ZeroDayRAT Spyware Sold on Telegram Targets Android 15, iOS 26
Summary
ZeroDayRAT spyware is sold on Telegram, giving attackers full control of Android/iOS devices for tracking, theft, and surveillance. Avoid unsolicited links and only use official app stores.

A new spyware platform is for sale on Telegram
A new, highly aggressive spyware platform called ZeroDayRAT is now being sold on Telegram. The service includes customer support and updates, making sophisticated surveillance tools easily accessible to threat actors.
According to mobile security firm iVerify, the malware provides full remote control over devices running Android 15 through 16 and iOS versions up to iOS 26. Once installed, it enables user profiling, location tracking, live surveillance, and financial theft.
ZeroDayRAT's extensive spying capabilities
iVerify reports that capabilities like ZeroDayRAT's have traditionally been seen in state-sponsored spyware. The malware can perform a wide range of invasive actions on a compromised device.
- It collects comprehensive device data, including model, OS, battery status, country, lock status, SIM info, app usage, live activity, and SMS previews to build user profiles.
- It pulls GPS coordinates, captures notifications, and harvests account information like usernames and emails.
- The spyware can send SMS messages and intercept verification codes to bypass two-factor authentication.
- It logs keystrokes (including biometric unlocks), accesses the camera and microphone for live surveillance, and can record the screen.
- It also targets financial data by logging crypto wallet addresses and stealing banking app credentials through overlay attacks.
How the spyware infects devices
ZeroDayRAT can only infect a device if a user downloads and installs a malicious file. This is typically a malicious APK on Android or a payload on iOS.
These files are distributed through phishing links sent via email, text, or messaging apps like Telegram and WhatsApp. They can also be found in fake app stores posing as legitimate marketplaces.
How to protect your device
All standard guidance for avoiding malware applies. Never click links in unsolicited messages, and only download apps from official, trusted sources like the Google Play Store or Apple App Store.
Users at high risk of targeting, such as journalists or activists, can enable extra security features. Apple offers Lockdown Mode for iOS, and Google provides Advanced Protection for Android, which add significant layers of defense against such spyware.

